Data validation generally refers to a process for ensuring that a computer program operates on sanitized, accurate, and meaningful data. Data validation techniques generally employ routines (also known as “validation rules” or “check routines”) that perform checks on input data to ensure its accuracy and meaningfulness.
Data validation is a critical component of information security generally and is particularly relevant to the field of network security. Web applications, for example, provide functionality for accepting and processing user input data. Web forms may be provided as part of a web application and have become a common mechanism for submitting and receiving input data via public or private networks. Malicious attacks such as cross-site scripting (XSS) and Structured Query Language (SQL) injection take advantage of a web application's laxity in checking the input values that are passed to it.
XSS refers to a vulnerability, typically found in web applications, that allows an attacker to bypass the client-side security mechanisms that web browsers normally impose on web content and to inject malicious scripts into web pages, thereby gaining elevated access to sensitive page content, session cookies, and a variety of other information. SQL injection is a form of malicious attack often used to attack a database through a website; it involves entering portions of SQL statements in a web form field so that the website passes a rogue SQL command to the database, producing malicious effects (e.g., modifying or erasing database contents, dumping database contents to the attacker, etc.).
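The two attack classes described above, and the check routines that defend against them, are illustrated by the following added example; it is not part of the original text. It applies a central table of validation rules to a submitted web form, shows a SQL lookup built by string concatenation beside its parameterized form, and encodes stored text before it is placed in a page. The field names, rules, table schema and sample submissions are all constructed for the illustration.

```python
import html
import re
import sqlite3

# Constructed sample data: one ordinary form submission and one hostile field value.
SAMPLE_FORM = {
    "username": "alice",
    "comment": "<script>alert(1)</script>Nice site",
}
INJECTION_ATTEMPT = "' OR '1'='1"

# Check routines ("validation rules") keyed by field name. Keeping them in one
# place means a new rule is added once rather than in every page that reads the field.
VALIDATION_RULES = {
    # Identifiers: a strict allow-list of characters and length.
    "username": re.compile(r"^[A-Za-z0-9_]{3,32}$"),
    # Free text: bounded length, no control characters other than tab/newline.
    "comment": re.compile(r"^[^\x00-\x08\x0b\x0c\x0e-\x1f]{0,500}$"),
}


def validate_form(form):
    """Apply every rule to the submission.

    Returns (ok, errors). Unknown fields, missing fields and values that fail
    their rule are all reported, so the caller can reject the whole request.
    """
    errors = {}
    for name, value in form.items():
        rule = VALIDATION_RULES.get(name)
        if rule is None:
            errors[name] = "unexpected field"
        elif not isinstance(value, str) or not rule.fullmatch(value):
            errors[name] = "does not match validation rule"
    for name in VALIDATION_RULES:
        if name not in form:
            errors[name] = "missing"
    return (not errors, errors)


def sanitize_for_html(text):
    """Output encoding: markup characters are escaped, so a stored comment that
    passed the free-text rule still cannot execute as script in the browser."""
    return html.escape(text, quote=True)


def make_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable pattern: the submitted value becomes part of the SQL text, so
    # a quote in the input changes the statement's structure.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Parameterized query: the value is bound as data and is never parsed as SQL.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(validate_form(SAMPLE_FORM))
    print(validate_form({"username": INJECTION_ATTEMPT}))
    print(sanitize_for_html(SAMPLE_FORM["comment"]))
    db = make_db()
    print("unsafe:", lookup_unsafe(db, INJECTION_ATTEMPT))
    print("safe:  ", lookup_safe(db, INJECTION_ATTEMPT))
```

Run against the hostile value, the concatenated query returns every row while the parameterized one returns none; the validation rule for `username` also rejects the value outright, so in a layered design the query is never reached. The comment field deliberately passes validation (free text must allow punctuation), which is why the output-encoding step is still required.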
If mechanisms for validating and sanitizing input data are not in place, these types of malicious data attacks may have a devastating impact on the security of data and of the systems that store and operate on that data. However, although data validation is critical to ensuring the accuracy of data and to protecting against malicious data attacks, it is often inconsistently built into web applications. Moreover, even if data validation logic is directly coded into applications, new patterns of attack require individual updates to each application's code, a cumbersome and time-consuming process that is prone to error.
Scripting languages that operate on a web user's device allow for the dynamic creation and modification of a web page within a web browser running on the user's device, and may, on occasion, perform limited pre-validation of web form data. However, data validation performed by client-side scripting languages suffers from the same drawbacks associated with built-in web application validation logic, that is, inconsistent use and the need to individually update code on each user's device to protect against new patterns of attack.
Application Firewalls (AFs) are firewalls that control input, output, and/or access from, to, or by an application or service. Network-based application layer firewalls are computer networking firewalls that operate at the application layer. While some network-based firewalls may be capable of performing input data validation, such firewalls are not integrated into client applications and must be individually configured for each application for which they provide data validation and sanitization services. As such, network-based application layer firewalls do not address the disadvantages noted above with respect to other data validation mechanisms.